This paper studies the equi-satisfiability of metric linear temporal logic (LTL) and its qualitative subset. Metric LTL formulas rely on the next operator to encode distances, whereas qualitative LTL formulas use only the until modality. The paper shows how to transform any metric LTL formula M into a qualitative one Q, such that Q and M are equi-satisfiable over words with variability bounded with respect to the largest distances used in M (i.e., occurrences of next), but the size of Q is independent of such distances. Besides the theoretical interest, these results may help simplify the verification of systems with time-granularity heterogeneity, where large distances are required to express the coarse-grain dynamics.

...3 are related to a construction used in temporal testers [28]. The definition of bounded variability in Section 2 translates to discrete time a notion introduced for dense (or continuous) time models [33, 16, 18, 7]. Hirshfeld and Rabinovich studied the expressiveness and decidability of Pnueli operators over dense time [20]; the operators themselves were first mentioned in a conjecture attributed to Pnueli [1, ...

...rge reactive systems which may possess huge set of data values. Runtime verification has been steadily gaining popularity, but vagueness still exists regarding its applicability in real-time systems [Colombo et al. 2009]. The introduction of a monitor overseeing a system, normally slows down the system, which may prove to affect the system performance or real-time systems. However, the introduction of monitors also ...

Abstract. This paper deals with runtime enforcement of untimed and timed properties with uncontrollable events. Runtime enforcement consists in modifying the executions of a running system to ensure their correctness with respect to a desired property. We introduce a framework that takes as input any regular (timed) property over an alphabet of events, with some of these events being uncontrollable. An uncontrollable event cannot be delayed nor intercepted by an enforcement mechanism. Enforcement mechanisms satisfy important properties, namely soundness and compliance, meaning that enforcement mechanisms output correct executions that are close to the input execution. We discuss the conditions for a property to be enforceable with uncontrollable events, and we define enforcement mechanisms that modify executions to obtain a correct output, as soon as possible. Moreover, we synthesize sound and compliant descriptions of runtime enforcement mechanisms at two levels of abstraction to facilitate their design and implementation.

...ite). (10,Write) In the timed setting, several monitoring tools for timed specifications have been proposed. RT-Mac [20] permits to verify at runtime timeliness and reliability correctness. LARVA [8,9] takes as input safety properties expressed with DATEs (Dynamic Automata with Times and Events), a timed model similar to timed automata. In previous work, we introduced runtime enforcement for timed ...

In critical systems, it is frequently essential to know whether the system satisfies a number of real-time constraints, usually specified in a real-time logic such as timed regular expressions. However, after having verified a system correct, changes in its environment may slow it down or speed it up, possibly invalidating the properties. Colombo et al. [1] have presented a theory of slowdown and speedup invariance to determine which specifications are safe with respect to system retiming, and applied the approach to duration calculus. In this paper we build upon their approach, applying it to timed regular expressions. We hence identify a fragment of the logic which is invariant under the speedup or slowdown of a system, enabling more resilient verification of properties written in the logic.

...ic such as timed regular expressions. However, after having verified a system correct, changes in its environment may slow it down or speed it up, possibly invalidating the properties. Colombo et al. [1] have presented a theory of slowdown and speedup invariance to determine which specifications are safe with respect to system retiming, and applied the approach to duration calculus. In this paper we ...

Abstract—Robustness of embedded systems under potential changes in their environment is crucial for reliable behaviour. One typical environmental impact is that of the inputs being slowed down — due to which, the system may no longer satisfy its specification. In this paper, we present a framework for analysing the behaviour of synchronous programs written in Lustre under such environmental interference. Representing slow input by stuttering, we introduce both strong and weak slowdown robustness constraints with respect to this phenomenon. Furthermore, static and dynamic algorithmic techniques are used to deduce whether such constraints are satisfied, and the relationship between stateful programs and the slowdown model considered is explored.

...the static deduction of a program’s resource requirements, making it ideal for the design of embedded systems. Although retiming analysis techniques for continuous time can be found in the literature [3], our approach adapts them for discrete time, the timing model used by Lustre and other synchronous languages. Such a theory requires addressing a number of considerations. In Section II we define str...

Abstract Runtime enforcement is a powerful technique to ensure that a running system satisfies some desired properties. Using an enforcement monitor, an (untrustworthy) input execution (in the form of a sequence of events) is modified into an output sequence that complies with a property. Over the last decade, runtime enforcement has been mainly studied in the context of untimed properties. This paper deals with runtime enforcement of timed properties by revisiting the foundations of runtime enforcement when time between events matters. We propose a new enforcement paradigm where enforcement mechanisms are time retardants: to produce a correct output sequence, additional delays are introduced between the events of the input sequence. We consider runtime enforcement of any regular timed property defined by a timed automaton. We prove the correctness of enforcement mechanisms and prove that they enjoy two usually expected features, revisited here in the context of timed properties. The first one is soundness meaning that the output sequences (eventually) satisfy the required property. The second one is transparency, meaning that input sequences are modified in a minimal way. We also introduce two new features, i) physical constraints that describe how a time retar-

...n upper-bound on the overhead induced on the target system. The authors also identify a subset of the duration calculus, called counter-examples traces, where properties are insensitive to monitoring [26]. Our monitors not only differ by their objectives but also by how they are interfaced with the system. We propose a less restrictive framework where monitors asynchronously read the outputs of the ta...